Under the hood of F5 BIG-IP LTM and Cisco ACI integration – Role of the device package

Note: This article is archived. The Cisco APIC integration based on iWorkflow has been phased out as iWorkflow version 2.3 is the last release shipped with the Cisco Device Package. Other orchestration and automation options include use of Cisco Cloud Center, Network Services Orchestrator and Ansible which are being documented.

Since the FCS of the F5 device package for Cisco APIC last month, we have seen a lot of interest and excitement from customers and the field alike in understanding how the combined open-ecosystem value of Cisco ACI and F5 BIG-IP is enabled. One of the critical components from F5 in this solution is the F5 device package, which abstracts the L4-L7 service device so that the Cisco APIC can automate and provision a network service attached to the ACI fabric.

The concept of Service graph

In addition to network service device configuration, deployments come with the need for subjecting traffic to flow through a sequence of L4-L7 service instances depending on the policies configured. In other words, there is also a need for representing this sequence or chain of L4-L7 service functions for easier service provisioning.

Cisco APIC provides the user with the ability to define a service graph with a chain of service functions such as Web application Firewall (WAF), Load balancer or network firewall including the sequence with which the service functions need to be applied. The graph defines these functions based on a user-defined policy for a particular application. One or more service appliances might be needed to render the services required by the service graph.

Device Package

Cisco APIC offers a centralized touch point for configuration management and automation of L4-L7 services; the F5 device package is what lets the APIC interface with the service appliances (physical or virtual) using southbound APIs. For example, in order to allow configuration of L4-L7 services on BIG-IP by Cisco APIC, the F5 device package contains the XML schema of the F5 device model, which defines parameters such as software version, SSL termination, Layer 4 SLB and network connectivity details. It also includes a Python script that maps APIC events to function calls for F5 BIG-IP LTM.

Device Specification

The Device specification is an XML file that provides a hierarchical description of the device, including the configuration of each function, and is mapped to a set of managed objects on the APIC. The Device specification defines the following:

Model: Model of the device - (BIG-IP LTM)

Vendor: Vendor of the device - (F5)

Version: Software version of the device - (1.0.1)

Functions provided by a device, such as L4-7 load balancing, Microsoft Sharepoint, and SSL termination

Device configuration parameters

Interfaces and network connectivity information for each function

Configuration parameters for each function

Device Script

The Device script, written in Python, manages communication between the APIC and the F5 device. It defines the mapping between Cisco APIC events and the function calls representing F5 device interactions, and converts the generic APIC API into F5 device-specific calls. When a tenant admin uploads a device package to the APIC, the APIC creates a hierarchy of managed objects representing the device and validates the device script.

Device Package integration workflow with Cisco APIC

In order to manage a BIG-IP LTM service node through the APIC, the tenant administrator must explicitly register the BIG-IP LTM. Device registration occurs when the admin adds a new device to the network; the registration process informs the APIC of the device type, management connectivity, interfaces, and credentials so that the APIC can add the device to the fabric.

Fig. 1 shows the high-level workflow.

Figure 1 – Device Package integration Workflow

The tenant admin uploads the F5 device package to Cisco APIC using northbound APIs or the APIC user interface.

The tenant admin must also define the out-of-band management connectivity of the BIG-IP LTM, along with its credentials.

If the network needs traffic steering through F5 BIG-IP, the tenant administrator configures the service graph under the Layer 4-7 profile for the tenant and adds service functions predefined in the F5 device package, using the device modification and service modification Python function calls.
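To make the role of the device script concrete, here is an added Python example of the event-to-call mapping that the "Device Script" section and the workflow steps above describe. It is illustrative code written for this article, not the F5 device package or Cisco's device script API: the event names deviceModify and serviceModify, the shape of the device, interface and configuration dictionaries, and the iControl REST collection paths (/mgmt/tm/net/vlan, /mgmt/tm/ltm/pool, /mgmt/tm/ltm/virtual) are assumptions. The sample device and tenant configuration are constructed. The handlers validate the tenant-supplied parameters (addresses, ports, VLAN tags, object names) before they are turned into device-specific operations, and return the operations rather than sending them, so the block runs offline.

```python
import ipaddress
from typing import Any, Callable, Dict, List, Tuple

# One device-specific operation: (HTTP method, assumed iControl REST path, JSON body)
Operation = Tuple[str, str, Dict[str, Any]]

# --- constructed sample input, in the shape an orchestrator might hand a device script ---
SAMPLE_DEVICE = {
    "host": "192.0.2.10",          # out-of-band management address (documentation range)
    "port": 443,
    "creds": {"username": "apic-svc", "password": "PLACEHOLDER"},
}
SAMPLE_INTERFACES = [
    {"name": "external", "vlan": 100},
    {"name": "internal", "vlan": 200},
]
SAMPLE_CONFIG = {
    "VirtualServer": {
        "name": "web_vs",
        "destination": "198.51.100.20",
        "port": 443,
        "pool": {"name": "web_pool", "members": ["10.0.1.11:80", "10.0.1.12:80"]},
    }
}


class ValidationError(ValueError):
    """Raised when tenant-supplied parameters fail the device-side checks."""


def _ip(text: str) -> str:
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        raise ValidationError(f"invalid IP address: {text!r}") from None


def _port(value: Any) -> int:
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValidationError(f"port out of range: {value!r}")
    return port


def _vlan(value: Any) -> int:
    tag = int(value)
    if not 1 <= tag <= 4094:
        raise ValidationError(f"VLAN tag out of range: {value!r}")
    return tag


def _name(text: str) -> str:
    # Object names end up in REST paths and tmsh commands, so restrict the
    # character set instead of passing tenant input through verbatim.
    if not text or not all(c.isalnum() or c in "_-." for c in text):
        raise ValidationError(f"unsafe object name: {text!r}")
    return text


def device_modify(device: Dict, interfaces: List[Dict], configuration: Dict) -> List[Operation]:
    """Device-level event (assumed name): network connectivity for the service device.
    Each APIC interface becomes a VLAN create on the assumed /mgmt/tm/net/vlan collection."""
    return [
        ("POST", "/mgmt/tm/net/vlan", {"name": _name(i["name"]), "tag": _vlan(i["vlan"])})
        for i in interfaces
    ]


def service_modify(device: Dict, interfaces: List[Dict], configuration: Dict) -> List[Operation]:
    """Function-level event (assumed name): the generic VirtualServer parameters
    become a pool create followed by a virtual server create."""
    vs = configuration["VirtualServer"]
    pool = vs["pool"]
    members = []
    for member in pool["members"]:
        host, _, port = member.rpartition(":")
        members.append({"name": f"{_ip(host)}:{_port(port)}"})
    pool_name = _name(pool["name"])
    return [
        ("POST", "/mgmt/tm/ltm/pool", {"name": pool_name, "members": members}),
        ("POST", "/mgmt/tm/ltm/virtual", {
            "name": _name(vs["name"]),
            "destination": f"{_ip(vs['destination'])}:{_port(vs['port'])}",
            "pool": pool_name,
        }),
    ]


# The mapping table itself: APIC event name -> handler. Names are assumed; the
# article only calls them "device modification" and "service modification".
HANDLERS: Dict[str, Callable[[Dict, List[Dict], Dict], List[Operation]]] = {
    "deviceModify": device_modify,
    "serviceModify": service_modify,
}


def dispatch(event: str, device: Dict, interfaces: List[Dict], configuration: Dict) -> List[Operation]:
    """Entry point an orchestrator would call: reject unknown events, run the
    handler, and return the device-specific operations it produced."""
    if event not in HANDLERS:
        raise ValidationError(f"unsupported APIC event: {event!r}")
    return HANDLERS[event](device, interfaces, configuration)


if __name__ == "__main__":
    for name in ("deviceModify", "serviceModify"):
        for op in dispatch(name, SAMPLE_DEVICE, SAMPLE_INTERFACES, SAMPLE_CONFIG):
            print(name, op)
```

Separating the generic-to-specific translation from the transport is what lets the same handlers be audited in isolation: every value that reaches a REST path or body has passed through one of the checks, and a tenant parameter such as a pool name containing shell or path characters is refused before any call to the management interface is built.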